
Cybersecurity researchers have revealed that RansomHub's online infrastructure has been "inexplicably" offline since April 1, 2025, raising concerns among affiliates of the ransomware-as-a-service (RaaS) operation.
Singapore-based cybersecurity company Group-IB said this could lead affiliates to migrate to Qilin, whose "disclosures on its DLS [data leak site] have doubled since February."
First observed in February 2024, RansomHub is estimated to have stolen data from over 200 victims. It filled the void left by two well-known RaaS groups, LockBit and BlackCat, courting affiliates, including Scattered Spider and Evil Corp, with favorable payment splits.
"Following its potential acquisition of the web application and ransomware source code from Knight (formerly Cyclops), RansomHub quickly rose in the ransomware scene thanks to the robust features of its multi-platform encryptor and its aggressive, affiliate-friendly model that offers substantial financial incentives," Group-IB said in its report.
RansomHub's ransomware is designed to run on Windows, Linux, FreeBSD, and ESXi, across x86, x64, and ARM architectures, and avoids attacking companies in the Commonwealth of Independent States (CIS), Cuba, North Korea, and China. It can also encrypt local and remote file systems via SMB and SFTP.
The affiliate panel is used to configure the ransomware via a web interface and features a dedicated "Members" section that gives members of an affiliate group the option to create their own accounts on the platform.

Affiliates have also had access, since at least June 2024, to a "killer" module that terminates and bypasses security software by abusing known vulnerable drivers (BYOVD). However, the tool has since been discontinued due to high detection rates.
According to eSentire and Trend Micro, cyberattacks have also been observed leveraging the JavaScript malware known as SocGholish (aka FakeUpdates), distributed via compromised WordPress sites, to deploy Python-based backdoors linked to RansomHub affiliates.
"On November 25, the group's operators released a new memo on their affiliate panel announcing that attacks on government agencies are strictly prohibited," the company said. "Accordingly, all affiliates were asked to refrain from such conduct due to the high risk and unprofitable 'return on investment.'"
GuidePoint Security, which also observed the downtime in RansomHub's infrastructure, said the series of events led to "affiliate anxiety," with rival RaaS group DragonForce claiming that RansomHub "has decided to move" its infrastructure under the "DragonForce Ransomware Cartel."
It is also worth noting that another RaaS actor, known as BlackLock, has been assessed to have started working with DragonForce after its data leak site was defaced in late March 2025.
"These discussions on the RAMP forum highlight the uncertainty RansomHub affiliates are experiencing at the moment, as they appear to be unaware of the group's situation and of their own status," GuidePoint Security said.

"It remains to be seen whether this instability will spell the beginning of the end for RansomHub, but we cannot help but note that a group that became famous for promising affiliates stability and security may have failed or betrayed its affiliates on both counts."
The Secureworks Counter Threat Unit (CTU) is tracking the DragonForce brand as a "cartel." It said the effort is part of a new business model designed to attract affiliates and increase profits by allowing affiliates to create their own "brands."
This differs from traditional RaaS schemes, in which core developers set up dark web infrastructure and recruit affiliates from the cybercrime underground; the affiliates then carry out attacks after procuring access to target networks from initial access brokers (IABs), in exchange for 70% of ransom payments.
"In this model, DragonForce provides infrastructure and tools but does not require affiliates to deploy its ransomware," the Sophos-owned company said. "Advertised features include the admin panel and client panel, encryption and ransom negotiation tools, a file storage system, Tor-based leak sites and .onion domains, and support services."
Another ransomware group embracing novel tactics, which emerged in February 2025, offers a "data ransom" extortion-only option: it publishes "investigative articles" containing analysis of the stolen data and pressures victims by notifying regulatory or compliance authorities of the incident.
"As the ransomware ecosystem continues to shift, we are seeing more extensive experimentation with a variety of operating models," says Rafe Pilling, Director of Threat Intelligence at Secureworks CTU. "LockBit had mastered the affiliate scheme, and it is no surprise that we are seeing new schemes and methods being tested in the wake of the enforcement actions against them."
This development coincides with the emergence of a new ransomware family called ELENOR-corp, a variant of Mimic ransomware.
"The ELENOR-corp variant of Mimic ransomware shows enhancements compared to previous versions, employing sophisticated anti-forensic measures, process tampering and encryption strategies."
"This analysis highlights the evolving sophistication of ransomware attacks and underscores the need for proactive defense, rapid incident response, and robust recovery strategies in high-risk industries such as healthcare."

Some of the other notable ransomware campaigns seen over the last few months are:
- A campaign targeting Taiwan's healthcare, education and industrial sectors that uses the BYOVD technique to circumvent security measures through an open-source tool named Zammocide Elysium.
- Email and phishing attacks that misuse the name of the U.S. Department of Government Efficiency (DOGE) and government initiatives.
- Hellcat ransomware attacks that exploit zero-day vulnerabilities like Atlassian Zilla and distribute malware-laden ZIP files, with initial access obtained from initial access brokers.
- Interlock ransomware, which uses a bespoke data exfiltration program and leverages the infamous ClickFix technique to launch a multi-stage attack chain that deploys ransomware payloads along with the Interlock RAT backdoor and the Lumma and BerserkStealer information stealers.
- Qilin ransomware attacks, attributed to an affiliate tracked as STAC4365, that use an adversary-in-the-middle (AitM) phishing kit against their targets.

These campaigns highlight the ever-evolving nature of ransomware and demonstrate the ability of threat actors to innovate in the face of law enforcement disruptions and leaks.
In fact, a new analysis of 200,000 internal Black Basta chat messages by the Forum of Incident Response and Security Teams (FIRST) reveals how ransomware groups operate, with a focus on advanced social engineering techniques and the exploitation of VPN vulnerabilities.
"Members known as 'nur' are tasked with identifying key targets within the organization they are aiming to attack," FIRST said. "When they find someone influential (like managers or HR), they start contacting them over the phone."